
RUN-4569 Mitigate Jackson CVE-2026-54512/54513#48

Open: fdevans wants to merge 1 commit into main from RUN-4569-jackson


fdevans (Contributor) commented Jul 1, 2026

Summary

  • Bump rundeck-core to 6.1.0-SNAPSHOT, which pulls patched jackson-databind 2.22.0 transitively, mitigating CVE-2026-54512 / CVE-2026-54513.
  • Standardize the axion-release plugin to 1.21.2.
  • Add the Central Portal Snapshots repository so the SNAPSHOT resolves.

Test plan

  • rundeck-core:6.1.0-SNAPSHOT and jackson-databind:2.22.0 resolve on compileClasspath (verified locally).
  • CI build and Snyk scan pass on the branch.
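
The classpath check in the test plan can be scripted. This is an added example, not part of the pull request or the project's code: it parses `gradle dependencies --configuration compileClasspath` output and reports any resolved `jackson-databind` below 2.22.0, the version the PR names as patched. The sample tree, the `com.example:legacy-lib` module and the function names are constructed for illustration.

```python
import re

# One node of the Gradle dependency tree, e.g.
#   |    \--- group:name:1.0 -> 2.0 (*)
NODE = re.compile(r"^[|\s]*[+\\]--- (?P<coord>\S+)(?P<rest>.*)$")
ARROW = re.compile(r"-> (\S+)")

# Constructed sample of `gradle dependencies --configuration compileClasspath` output.
SAMPLE_TREE = r"""
+--- org.rundeck:rundeck-core:6.1.0-SNAPSHOT
|    \--- com.fasterxml.jackson.core:jackson-databind:2.22.0
\--- com.example:legacy-lib:1.0
     \--- com.fasterxml.jackson.core:jackson-databind:2.17.1 -> 2.22.0 (*)
"""

def version_key(version):
    """Sortable key: numeric release parts, with 2.22.0-SNAPSHOT below 2.22.0."""
    release, _, qualifier = version.partition("-")
    parts = [int(p) for p in release.split(".") if p.isdigit()]
    parts += [0] * (3 - len(parts))
    return tuple(parts), qualifier == ""

def resolved_versions(tree_text, group, name):
    """Versions of group:name that Gradle selected, honouring '-> x' overrides."""
    found = set()
    for line in tree_text.splitlines():
        m = NODE.match(line)
        if not m:
            continue
        parts = m["coord"].split(":")
        if parts[:2] != [group, name]:
            continue
        arrow = ARROW.search(m["rest"])
        # The version after '->' is what ends up on the classpath; the one in
        # the coordinate is only what that path requested.
        version = arrow[1] if arrow else (parts[2] if len(parts) > 2 else None)
        if version:
            found.add(version)
    return found

def unpatched(tree_text, group, name, minimum):
    """Resolved versions below the patched floor; an empty set passes the check."""
    floor = version_key(minimum)
    return {v for v in resolved_versions(tree_text, group, name)
            if version_key(v) < floor}

if __name__ == "__main__":
    bad = unpatched(SAMPLE_TREE, "com.fasterxml.jackson.core", "jackson-databind", "2.22.0")
    print("unpatched versions:", sorted(bad) or "none")
```

An empty result from `resolved_versions` means the artifact was not found in that configuration at all, which should be treated as a failed check rather than a pass.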

- Bump rundeck-core to 6.1.0-SNAPSHOT, which pulls the patched jackson-databind 2.22.0 transitively and mitigates CVE-2026-54512 / CVE-2026-54513.
- Standardize the axion-release plugin to 1.21.2.
- Add the Central Portal Snapshots repository so the SNAPSHOT resolves.
Copilot AI review requested due to automatic review settings July 1, 2026 16:51

Copilot AI (Contributor) left a comment

Pull request overview

Mitigates Jackson CVE-2026-54512 / CVE-2026-54513 exposure in the build dependency graph by updating the Rundeck core dependency to a patched snapshot, while aligning the release/versioning plugin version and adding snapshot repository resolution.

Changes:

  • Bump org.rundeck:rundeck-core to 6.1.0-SNAPSHOT via the version catalog.
  • Standardize pl.allegro.tech.build.axion-release to 1.21.2 via the version catalog.
  • Add a Maven snapshots repository intended to resolve the Rundeck SNAPSHOT artifacts.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| gradle/libs.versions.toml | Updates catalog versions for rundeck-core (SNAPSHOT) and Axion release plugin. |
| build.gradle | Adds an additional Maven repository intended to resolve org.rundeck SNAPSHOT artifacts. |
